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Description 

The invention relates to a value transfer system 
for cashless transactions. Several kinds of cashless 
financial transaction services are available. These in- s 
elude credit cards and debit cards which customers 
may use with a wide range of retailers. Each transact 
tion is accompanied by the provision of customer ac- 
count details required for the actual transfer of funds 
between the specific customers and the specific re- io 
tailers. 

Another form of cashless card system is the pre- 
payment card system, where a card is purchased prior 
to a series of transactions and a value record record- 
ed on it is appropriately decremented on each trans- is 
action. A 'phone card is an example of a prepayment 
card. 

Such prior systems are inflexible and are no gen- 
eral substitute for cash in low value high volume 
transactions. Various proposals have been put for- 20 
ward to allow the interchange of money values be- 
tween "^electronic purses". For example, United 
States Patent No 4839504 (Casio Computer Co Ltd) 
discloses a system where a user is able to load money 
value onto an integrated circuit (iC) card, otherwise 25 
known as a smart card, by communication with his 
bank. At the bank the same value is applied to a sep- 
arate IC account set up for the user. Purchases are 
able to be made by transfer of money values from the 
IC card to retailer equipment off-line from the bank. 30 
Each transaction requires transmission to the retailer 
and retention by him of details which include the pur- 
chaser's identity. Ultimately, in claiming funds from 
the bank the retailer presents a list of transaction de- 
tails and there is account reconciliation to allow the IC as 
account of the appropriate purchaser to be adjusted. 

Procedures which, as above, require ultimate ac- 
count reconciliation for every transaction are attend- 
ed by two disadvantages. The first is practical. The 
storing, transmitting and reconciling of purchaser de- 40 
tails for every transaction places an impossible bur- 
den on equipment if all cash type transactions are 
contemplated. Processing all such transactions effi- 
ciently in an acceptable time is not possible, even 
with the most modern equipment The second objec- 4S 
tion is social. The anonymity of cash would be lost and 
potential would exist for details of personal spending 
habits to be derived. 

The second of the above objections has been ad- 
dressed by Chaum in "Controlling your information so 
with a Card Computer" ("Concepts Applications Activ- 
ities" published by TeleTrust March 1989). Chaum 
proposes a system of "bl ind signatures" of money val- 
ue items effected by an authorising entity such as a 
bank. This is a way of preventing ready identification ss 
of purchasers. However, a problem remains in that 
double payment by a purchaser must be detectable 
and Chaum meets this difficulty by Including, in the 



data transferred in an off-line transaction, encrypted 
information concerning the purchaser. This informa- 
tion is relayed to the bank when the retailer claims 
credit and is used at the bank to detect double use of 
the same "electronic cash". Also, each signed item is 
recorded at the bank to make possible ultimate rec- 
onciliation of claims against these items, albeit with- 
out customer Identification. The problems of storage, 
transmission and processing of individual transaction 
infonmation remain. Additionally, Chaum introduces 
another difficulty. His system requires that each item 
of signed "electronic cash" should be treated as a unit 
and is incapable of division. Again this means that the 
system is inappropriate for small value high volume 
transactions. 

The present invention seeks to provide a practical 
solution to the problem of providing a framework suit- 
able for cashless small value high volume transac- 
tions. 

According to the invention there is provided a val- 
ue transfer system having a computer system; a plur- 
ality of electronic purses, one or more of the electron- 
ic purses being bulk purses; exchange devices 
whereby purses may communicate with each other to 
transfer value in transactions which are off-line from 
the computer system; a value meter system; draw- 
down means for loading said bulk purse or bulk purs- 
es with value under control of the computer system 
via the value meter system; redemption means for re- 
deeming value from said bulk purse or bulk purses 
under control of the computer system via the value 
meter system; the value meter system recording one 
or more float value records whereby the net value re- 
leased to the bulk purse or purses may be derived, the 
net value being the difference between the total of 
values drawn down to the bulk purse or bulk purses 
and the total of values redeemed from the bulk purse 
or bulk purses, the float value record being non-spe- 
cific with regard to individual transactions. 

The value meter system may have an interface 
whereby the float value record may be adjusted on 
command so as to create or destroy value within the 
bulk purse or purses. 

Preferably there is provided, in each purse, stor- 
age means which stores a purse value record which 
Is accumulative and, In each purse or associated ex- 
change device, a microprocessor, transactions being 
conducted between purse pairs, one of which, the 
sending purse, sends value and the other of which, 
the receiving purse, receives value, the microproces- 
sors being programmed so that in each off-line trans- 
action the purse value record in the sending purse is 
decreased by a chosen and variable transaction val- 
ue and the purse value record in the receiving purse 
is increased by the same transaction value. 

By providing a float value record which is non- 
specific anonymity is ensured and reconciliation with 
customer accounts for all subsequent purse to purse 
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transactions is unnecessary. 

The above combination of features allows trans- 
actions to be effected and entirely completed without 
subsequent recourse or reference to any third party, 
and in particular without reference to the computer 5 
The advantages in tenms of anonymity and computer 
processing time are clear. A retailer, for example, may 
make claims to redeem value from time to time, the 
nature and identity of all the off-line transactions 
which contribute to the retailer purse value record io 
playing no part In the claim. 

Preferably the purses have means whereby a 
transaction between a pair of purses is given a unique 
identifier and the microprocessors are programmed 
to respond to the Identifiers to prevent a given trans- is 
action being repeated. No reference is then required 
to the computer to determine whether the same "elec- 
tronic cash" is being used twice. In claiming to re- 
deem value the computer is accessed and It will be 
possible to determine whether the same claim Is be- 20 
ing made twice, either directly or, since a claim may 
be simply another transaction, by means of a trans- 
action identifier. The transaction identifier is prefer- 
ably sent from the transmitting purse to the receiving 
purse, being conveniently derived from data identify- 25 
ing the receiving purse and a receiving purse trans- 
action sequence number or electronic date/time 
stamp obtained from the receiving purse in a prelim- 
inary "hand-shaking" operation. In this way the re- 
ceiving purse can monitor the transaction and any at- 30 
tempt to transmit the same value record twice will be 
foiled. 

Security of the system demands that crypto- 
graphic techniques be employed to prevent fraud. 
The most effective cryptographic techniques are 35 
asymmetrical In that they require different keys to en- 
crypt and decrypt information. One well-known and 
suitable cryptographic technique is that attributed to 
Rivest, Shamir and Adieman, known as the RSA sys- 
tem. It is envisaged that both purses of a communi- 40 
eating pair may employ the RSA system equally in a 
balanced way for algorithmic processing. However, 
whereas RSA encryption is straight-forward, relative- 
ly powerful computing facilities are required to exe- 
cute RSA decryption conventionally in a short time. In 45 
order to overcome this difficulty, in the interests of 
economy and speed, it is proposed in accordance 
with a feature of the Invention that an unbalanced sys- 
tem be used in which the processing capability re- 
quired by consumer purses is significantly less than so 
that required by retailer purses. 

Each user of an asymmetrical key cryptographic 
system has a key pair, namely a public key and a se- 
cret key. Messages to another are encrypted using 
the other's (remote) public key which is made avail- 55 
able, perhaps by a key exchange procedure. Re- 
ceived messages are decrypted using the local secret 
key. Use of a public key is far less demanding of comv 



puting power than use of a secret key so that conven- 
tionally encryption requires less computing overhead 
than decryption. Therefore, in implementing an un- 
balanced system of the kind described it is expedient 
to remove the requirement that the consumer puree 
performs conventional RSA decryption. 

A first way of reducing the cryptographic burden 
in the consumer puree is to provide it with a simpler, 
symmetrical, cryptographic system. Such a system 
uses the same key for encryption and decryption. An 
example is the DES cryptographic system (Data En- 
cryption Standard - US FIRS 46,1976). Retailer purs- 
es retain the full power of the RSA system. 

A second method is to use the consumer purse's 
own public key / secret key system for the inter- 
change of data. In an exchange of keys the consumer 
purse sends its secret key to the retailer puree. In the 
transmission of data to the retailer puree the consum- 
er puree would encrypt using its own public key and 
the retailer puree would decrypt using the consumer 
puree's secret key. 

Security can be enhanced by using electronically 
certified data, for example digitally signed data, in the 
transaction process. Each puree on issue will be al- 
located a characteristic number and will have that 
number signed by the secret key of an asymmetrical 
global cryptographic system. The result will be a glo- 
bal signing of the number and this is stored In the 
puree. All purees will carry the public key of the global 
pair so that on receipt of another's globally signed 
number it will be possible to verify that it is valid. The 
numbere can be regarded as globally certified. Since 
transactions will require the exchange of encryption 
keys it is convenient, although not necessary, to ar- 
range that the globally certified numbere are the en- 
cryption keys to be exchanged. 

The electronic purees may take a numt>er of 
physical forms. They will include computer process- 
ing facilities which may be incorporated in IC or 
"smart" cards, key fobs, wallets or the like or built into 
electronic equipment such as point-of-sale equip- 
ment or calculators, for example. 

Communication with the computer will generally 
be established by telephone and purses may be Incor- 
porated in telephones or modems, since it is possible 
that desired transactions may be conducted entirely 
by telephone. However, a more generally convenient 
arrangement Is to have a portable puree such as an 
IC card which is loaded via modem connection either 
by a device specific to the individual or by automatic 
teller machine, for example. 

Purees may communicate with each other for the 
transfer of values by means of communication devic- 
es. These may have slots for two purees or may each 
hold a puree and communicate with each other by In- 
fra-red light or electromagnetic radiation, for exam- 
ple. 

Reference was made above to the difficulty of 
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providing fast asymmetricat cryptographic facilities in 
very small and inexpensive devices such as IC cards. 
Clearly, it Is more readily possible to provide such fa- 
cilities in a communication device or in a modem. 
Therefore, even though consumer purses may lack 5 
full computing power themselves, this may be provid- 
ed by communication devices which have access to 
the consumer purse memories and public keys. Thus, 
while it is readily possible to exchange value records 
person to person if all purses have full asymmetrical io 
cryptographic facilities this Is also possible if the 
purses are simple and intelligent communication de- 
vices are used. 

At least the retailers' equipment will generally 
have the capability to store transaction information. is 
This may be in memory or on disk or on another card 
or by some other means. Indeed, the equipment may 
comprise a transfer device for transferring value from 
the consumer's IC card to a retailer's IC card. The 
storage capacity of the retailers' equipment need not 20 
be large since it is only an accumulated total which 
needs to be stored. However, It is envisaged that In 
addition to the transaction values, other information, 
for example about the identity of the consumer and/or 
retailer may be exchanged to allow a transaction 25 
print-out to be derived locally for analysis purposes. 
Codes for the goods may be included. 

As well as the usual point-of-sale terminals either 
attended or unattended, the retailers' equipment may 
include automatic vending machines, travel ticket dis- so 
pensers, car parking machines, road toll booths, etc. 
Although security to use a purse may be provided by 
the requirement to key a PIN code, this is not essen- 
tial and a preferred an^ngement dispenses with this 
requirement to facilitate use. However, it is envisaged 35 
that each purse may have a PIN protected memory 
and an unprotected memory, the system being such 
that by use of a terminal or pocket exchange device, 
value records may be transferred by use of the PIN 
code from the protected to the unprotected part of the 40 
purse. 

As mentioned above, individuals may carry their 
own pocket exchange devices to allow interchanges 
of transaction values person to person. Refunds may 
be given or cheques "cashed" by retailers In an equiv- 45 
alent manner. 

Value records may be loaded on to the purses in 
selected currencies for use In appropriate countries. 

While it is possible that the system of the present 
invention could be run by a single financial institution 50 
it Is envisaged that various financial institutions of a 
federal, national or international nature would have 
their own computers with value meters and float value 
records, the totality of the float value recortis repre- 
senting the total value in circulation (in all purses), the 55 
funds represented thereby being apportioned be- 
tween the participating institutions as agreed on the 
basis of their respective regulated float files. 



The invention will further be described with refer- 
ence to the accompanying drawings, of which: 
Figure 1 is a schematic drawing of a banking com- 
puter system in accordance with the invention; 
Figure 2 is a diagram Illustrating the value meter; 
Figure 3 is a diagram illustrating an example of a 
value transaction procedure using a full RSA 
cryptographic system; 

Figure 4 Is a diagram Illustrating an example of a 
value transaction procedure using a secret key 
transmission technique; 

Figure 5 is a diagram Illustrating an example of a 

value transaction procedure using a mixed 

RSA/DES cryptographic system; 

Figures 6 and 7 depict one possible embodiment 

of typical devices of the invention. 

Referring to Figure 1 there are shown three clear- 
ing banks 1 , 2 and 3 with respective computers 1 a, 2a 
and 3a. The computers have files containing account 
details of the banks' consumer and retailer custom- 
ers. Each computer also has a value meter 1 b, 2b, 3b 
which shows a float value record. The actual funds 
represented by the non-specific float value records 
may reside in one or more of banks 1, 2 or 3, or else- 
where. 

Each bank has a bulk purse 1c, 2c, 3c which is 
connected to the respective value meter and which 
has a memory with a purse value record. Terminals 5 
are connected by telephone selectively to computers 
1, 2 and 3. Typically terminals 5 may be home conv 
puter terminals or terminals available in public places. 
Consumers have electronic purses in the form of IC 
cards 6. These cards have microprocessors and 
memories. In the memory of each card is stored a 
purse value record 7. The cards have contacts 8, 
whereby the cards can interact with terminals 5 via 
card readers 9. By making appropriate requests at the 
keyboard of the terminal, a consumer may be con- 
nected to the computer of his bank, 1 , 2 or 3 and may 
request a value record to be loaded to his purse. If the 
bank authorises the request, the bulk purse Is in- 
structed to institute a draw-down of value to load 
purse value record 7 with the value requested. The 
card is now ready for use. 

Further electronic purses are contained in termi- 
nals 10, 11 which are equipped with IC card readers 
9, located at different points-of-sale. To use his card 
the consumer presents it to the retailer where it is in- 
serted into reader 9. The required value of the trans- 
action is keyed In and by agreement the total held in 
the purse value record of the purse 6 is reduced by 
the amount of the transaction. The purse value record 
of the purse held within the tenninal 10 or 11 is in- 
creased by the same transaction value. The consum- 
er takes his goods and is free to use the card up to 
the total held in the purse value record of his purse in 
other retailers' equipment 

Periodically a retailer may redeem value repre- 
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sented by the purse value record held in the purse of 
his terminal 10 or 11, Irrespective of the consum- 
ers' identities and without presenting any details of 
the individual transactions that have given rise to the 
total accumulated value. This may be done by con- s 
necting the temiinal 10 or 11 to the retailer's bank 1. 
2 or 3 as appropriate and requesting a redemption of 
value. The bank's computer then Instructs a redemp- 
tion transaction which accepts value from the termi- 
nal purse. The bank computer credits the retailer's ac- io 
count with funds. The value meters form the basis for 
allowing control of the total amount of value In circu- 
lation in all the purses and for apportioning, on an 
agreed basis, funds representing the total value. 

The bulk purses 1c, 2c, 3c differ from the other is 
purses In being capable of having value loaded and 
redeemed via the value meter, as well as by purse to 
purse transactions. In all other respects the purses 
are technically similar. It being understood In particu- 
lar that the same cryptographic techniques for bulk 20 
purse to other purse transactions (on-line) used are 
the same as for off-line transactions. Figure 2 shows 
the value meter as including an indicator 12 which 
shows a float value record. This is. in this case, the 
net value released to the bulk purse 1 c, being the dif- 25 
ference between the total of values drawn down via 
the meter and the total of values redeemed via the 
meter. It will be appreciated that the Individual gross 
draw-down and redeemed values may be indicated as 
well as or instead of the net value, it being readily pos- 30 
sible to derive the net value from the gross values, 
even if not directly indicated. The link 13 between the 
value meter and that of each of its bulk purses is se- 
cure. The purse may be physically adjacent to the val- 
ue meter and security ensured by physical locks etc. 35 
Alternatively, the bulk purse may be remote from the 
value meter and security is achieved by cryptograph- 
ic techniques. It is important to ensure that the value 
meter always accurately represents the value re- 
leased to the bulk purse and no fraudulent alteration 40 
can take place. Each value meter has an interface 14 
which may be a link to the bank computing facility or 
a keyboard unit. Authorised personnel may enter val- 
ues to be added to or subtracted from the float value 
record, representing a creation or destruction of value 45 
to be circulated. Thus, value to be circulated may be 
adjusted in bulk, perhaps daily, instead of on demand 
In response to individual draw-downs and claims. 

Using the float value reconj in th Is way allows off- 
tine interchange of value, given suitable terminals, be- so 
tween consumers and retailers, retailers and con- 
sumers and consumers and consumers, without the 
need to maintain large numbers of accounts or de- 
tailed account to account reconciliations. 

Consumers themselves may adjust the purse val- 55 
ue records in their purses by person to person inter- 
change or by refunds etc from retailers. It Is envis- 
aged that purse value records may be transferred to 



individual accounts by a claiming procedure from the 
float value record in a similar manner as retail- 
ers' claims. 

Purses may be used on an international basis by 
loading different currencies In them. It is envisaged 
that each country or group of countries will hold a 
float value record in the appropriate currency. Appli- 
cation by a consumer to load his purse with a foreign 
currency may result in his domestic account being 
debited by the appropriate amount in his own curren- 
cy and the respective foreign currency float value re- 
cord being Increased. 

A purse value record held in a purse may be con- 
verted to a different currency on request, the conver- 
sion being effected at the appropriate rate and result- 
ing in a transfer of value from the float value record 
of one currency to that of another currency and a cor- 
responding conversion of funds between the curren- 
cies. 

Figure 3 shows the procedure during an off-line 
transaction in a first embodiment of the invention. 
Both purses have full RSA asymmetrical crypto- 
graphic capability. The sending purse has a store SS 
which holds an accumulative value record Svrand the 
following RSA keys: sender public and secret keys 
Pks and Sks and global public key Pkg. In addition 
there is a certified data message [Pks]«Skg. This is 
the sender purse's unique public key signed by the 
master computer with its global secret key Skg. The 
public key Pks is thus electronically certified as valid 
by the system. The receiver purse has a store RS 
which holds an accumulative value record Rvr and the 
receiver purse's own RSA public and secret keys 
Pkr,Skr, the global public key Pkg and a certified pub- 
lic key data message [Pkr]«Skg. 

The first step of the transaction procedure Is for 
the receiving purse to issue a transaction identifier 
number R. This is derived from a combination of the 
receiving purse Identity and a transaction sequence 
number for that purse. Two-way communication be- 
tween the purses is established, perhaps locally by 
direct connection or by Infra-red link or the like or re- 
motely by modem and telephone. The following steps 
are followed: 

1 . The receiving puree transmits a request mes- 
sage which Is Pkr]'»Skg+[R]*Skr. 

2. The sending puree is able to check [Pkr]«Skg 
by use of the public global key Pkg. This gives the 
sending puree the authentic key Pkr to verify 
[R]«Skr and hence recover R. 

3. A value V which is required to be transferred is 
decremented from the puree value record Svr. 

4. The sending puree constructs a transaction 
value message VR from value V It wishes to 
transfer and from the request message R. This Is 
signed with the sender's secret key and the fol- 
lowing transaction value message Is transmitted 
to the receiving purse: 
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[Pks] « Skg + [VR] •» Sks 

5. The receiving purse obtains the public key Pks 
by use of the public key Pkg thereby verifying the 
message [Pks]«Skg. 

6. Use of the public key Pks thus found verifies s 
[VR]»Sks and hence recovers VR. 

7. R is checked to ensure that it carries the iden- 
tity of the receiving purse and the appropriate 
transaction number. If not the transaction is 
aborted. to 

8. If all is well, the value V is added to the purse 
value record of the receiving purse. 

9. Asigned acknowledgement is sent to the send- 
ing puree. 

Transaction logs StI and Rtl are held by the send- is 
ing and receiving purse stores. The logs may carry 
such details as are required for analysis of transac- 
tions locally, but in the simplest form the logs carry re- 
cords only of any transaction which has failed for 
some reason. This can be used for checking In the 20 
event of a dispute. 

RSA encryption and decryption require calcula- 
tion of the expression xy mod n where y is different for 
encryption and decryption. In particular the index y 
for encryption (embodied in the public key) is small 25 
and the corresponding index for decryption (embod- 
ied in the secret key) is very much larger. As a con- 
sequence, while modest computing power can handle 
encryption in an acceptably short time the same is not 
true for decryption. The creation of a certified (eg dig- 30 
itally signed) message has an equivalent processing 
overhead to decryption, the checking of such a mes- 
sage has an equivalent processing overhead to en- 
cryption. The embodiments illustrated In Figures 4 
and 5 provide arrangements which allow one of the 35 
pair of communicating purees to be of lower comput- 
ing power, and therefore less expensive, than the 
other. In these arrangements some purees of the sys- 
tem (retailer purses) have full RSA capability (en- 
cryption and decryption capability) whereas the re- 40 
mainder (consumer purses) Include a symmetrical 
key cryptographic system for transmitting transaction 
value record messages. A suitable symmetrical key 
cryptographic system is the DES system. This re- 
quires for encryption and decryption a level of com- 4S 
puting power similar to the power required for RSA 
encryption. 

Referring to Figure 4 there is illustrated the trans- 
action procedure between two purses where the 
sending puree is a consumer puree and the receiving so 
puree is a retailer puree. The retailer puree has full 
RSA capability whereas the consumer puree has a 
lower power computing facility. The sending purse 
has a store CS which holds an accumulative value re- 
cord Cvr and the RSA global public key Pkg. In add!- ss 
tion there is a DES key DESc and a certified data 
message [DESc]«Skg which Is the sending puree's 
unique DES key signed by the master computer with 



its global secret key Skg. The receiving purse has a 
store SR which is identical with the store SR of the 
Figure 3 embodiment, holding Pkr,Skr,Pkg and 
[Pkr]«Skg. 

The first step in the transaction procedure is for 
the receiving puree to issue a transaction Identifier R 
as in the embodiment of Figure 3. Then the following 
steps are taken: 

1 . The receiving purse transmits its certified pub- 
lic key message [Pkr]«Skg. 

2. The sending puree checks the signed message 
and derives Pkr. 

3. The sending puree encrypts its certified mes- 
sage using Pkr. Since the index y of a public key 
such as Pkr is small, encryption with it is compu- 
tationally easy. The message sent to the receiv- 
ing puree is 

Epkr [[DESc] « Skg] 

4. The receiving puree decrypts the message 
firstly with its secret key Skr to derive 
[DESc]«Skg which itself is checked with Pkg to 
give verification and derive DESc. 

5. The receiving purse transmits the message 
[R]«DESc which is the transaction identifier R 
encrypted with a DES integrity algorithm. 

6. The receiving puree decrypts the message in 
DES, derives the transaction identifier R and 
constructs the transmission value message VR 
in the same way as in the Figure 3 embodiment. 

7. The sending puree decrements the value V 
from its purse value record and sends the mes- 
sage [VR]«DESc to the receiving puree. 

8. The receiving puree decrypts [VR]*DES and 
checks that R Is correct If not the transaction is 
aborted. 

9. If all is well the value V is added to the receiving 
puree's puree value record and an acknowledge- 
ment message is sent to the sending puree. 
Referring now to Figure 5 there is shown a trans- 
action procedure which allows the purees to have un- 
balanced computing power while using the keys of an 
asymmetrical cryptographic system. In Figure 5 the 
store RS of the receiving puree has the same keys as 
In the Figure 3 embodiment The computing power of 
the sending puree is less than that of the receiving 
puree and instead of the signed public key, the send- 
ing purse holds a signed secret key [Sks]«Skg (which 
also incorporates Pks). 

A transaction procedure has the following steps: 

1 . The receiving purse transmits the signed mes- 
sage [Pkr]«Skg. 

2. The sending puree checks the signed message 
with Pkg. verifying [Pkr]*Skg and hence recover- 
ing Pkr. 

3. The sending puree encrypts Its signed mes- 
sage with Pkr and sends Ep^r DSks]«Skg]. 

4. The receiving puree decrypts the message 
f iretly with the use of its secret key Skr to give 
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[Sks]«Skg and then uses the global public key 
Pkg to verify [Sks]*Skg, thereby recovering Sks, 

5. The receiving purse signs the transaction Iden- 
tifier R with Sks and sends [R]«Sks. 

6. The sending purse derives R by the use of Pks. $ 

7. The sending purse decrements its purse value 
record by the required amount V, and constructs 
and sends a value message Epics [VR]. 

8. The receiving purse decrypts the message 

with the use of Sks to derive V and R. R is io 
checked and if it is inconrect the transaction Is 
aborted. 

9. If all is well the purse value record of the receiv- 
ing purse is incremented by V, the key Sks in the 
receiving purse is discarded and an acknowl- is 
edgement message is sent to the sending purse. 
Figure 6 shows one embodiment of the invention 

in the fomn the pocket exchange device referred to 
above. This device PED is battery powered or solar 
powered and has an LCD screen 15 and IC card read- 20 
er 16. The consumer's card is inserted in reader 16 
and it may then be interrogated by means of keys 1 7 
to 21. Keys 1 7 allow the user to scroll through log en- 
tries and balances resident on the card, accessed via 
keys 1 9 and 20. Keys 1 8 and 21 allow interchange be- 25 
tween two cards, via an intemiediate store within the 
device. 

Figure 7 depicts a device such as may be found 
at a retailer's point-of-sale. Similar terminals without 
retailer functions may be located in financial institu- 30 
tions or in other public places for the use of consum- 
ers in accessing their bank account for the purpose of 
loading and unloading their cards. The device T con- 
sists of a point-of-sale terminal, bearing an LCD (or 
other) display 22, and an IC card reader 23. By means 35 
of keyboard 24 the total of a retail transaction may be 
entered into the temiinal. Keys 25 and 26 initiate the 
transaction with the IC card, Inserted in reader 23. Af- 
ter hours, the retailer can prepare the tenminal for 
transmission of value to the bank's host by depress- 40 
ing key 27. 

Claims 

45 

1. A value transfer system having a computer sys- 
tem (1a,2a,3a); a piuretity of electronic purses 
(1c,2c,3c,6), one or more of the electronic purses 
being bulk purses (1c,2c,3c); exchange devices 
(5, 1 0. 1 1 ) whereby purses may commu nicate with so 
each other to transfer value in transactions which 
are off-line from the computer system; a value 
meter system (1b,2b,3b); draw-down means for 
loading said bulk purse or bulk purses with value 
under control of the computer system via the val- 55 
ue meter system; redemption means for redeem- 
ing value from said bulk purse or bulk purses un- 
der control of the computer system via the value 



meter system; the value meter system recording 
one or more float value records whereby the net 
value released to the bulk purse or purses may be 
derived, the net value being the difference be- 
tween the total of values drawn down to the bulk 
purse or bulk purses and the total of values re- 
deemed from the bulk purse or bulk purses, the 
float value record being non-specific with regard 
to individual transactions. 

2. A value transfer system as claimed in Claim 1 
wherein the value meter system has an Interface 
whereby each float value record may be adjusted 
on command so as to create or destroy value 
within the bulk purse or purses. 

3. Avalue transfer system as claimed ineitherofthe 
preceding claims comprising, in each puree, stor- 
age means which stores a puree value record 
which is accumulative and, in each purse or as- 
sociated exchange device, a microprocessor, 
transactions being conducted between puree 
pairs, one of which, the sending purse, sends val- 
ue and the other of which, the receiving purse, re- 
ceives value, the microprocessors being pro- 
grammed so that in each transaction the purse 
value record in the sending purse is decreased by 
a chosen and variable transaction value and the 
puree value record in the receiving purse Is in- 
creased by the same transaction value. 

4. A value transfer system as claimed in Claim 3 
wherein the microprocessors are programmed so 
that in a transaction between members of a puree 
pair the transaction is given a transaction identi- 
fier specific to at least one of the purees and 
unique within that purse. 

5. A value transfer system as claimed in Claim 4 
wherein the microprocessors are programmed 
such that the transaction identifier is specific to 
the receiving purse and is unique within the re- 
ceiving puree by the inclusion of a receiving puree 
transaction sequence number. 

6. A value transfer system as claimed in Claim 5 
wherein the microprocessors are programmed 
such that a transaction includes the steps of 
sending a request message including the trans- 
action identifier from the receiving puree to the 
sending puree, incorporating the transaction 
identifier in a transaction value message sent 
from the sending puree to the receiving purse and 
controlling acceptance of the transaction value 
message in the receiving puree on the basis of 
the validity of the transaction identifier received. 

7. A value transfer system as claimed in any of the 
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preceding claims wherein the microprocessors 
are programmed to employ an asymmetrical 
cryptographic system having different public and 
secret keys and each purse has at least a public 
key of the system stored. s 

8. A value transfer system as claimed in Claim 7 
wherein each purse stores data signed in the 
cryptographic system by the computer system 
with a global secret encryption key, the signed io 
data thereby being electronically certified, and 

the microprocessors are programmed such that 
each transaction includes the steps of checking 
certified purse data by means of the global public 
key. 15 

9. A value transfer system as claimed in Claim 7 or 
Claim 8 wherein each purse stores its own unique 
public/secret key pair in the cryptographic system 

and the microprocessors are programmed so that 20 
the transmission of transaction data is encrypted 
and decrypted using these keys. 

10. A value transfer system as claimed in Claim 9 in 
which in a transaction the two microprocessors 25 
have computing powers which are unequal, the 
microprocessor associated with the first purse 
being of superior computing power to that asso- 
ciated with the second purse, and the micropro- 
cessors are programmed so that the transaction 30 
includes the steps of sending to the first purse the 
secret key of the second purse key pair and en- 
crypting data at the second purse using the pub- 
lic key of the second purse key pair. 

35 

11. A value transfer system as claimed in Claim 7 or 
Claim 8 wherein in a transaction the two micro- 
processors have computing powers which are 
unequal, the microprocessor associated with a 
first purse being of superior computing power to 40 
that associated with the second purse, the sec- 
ond purse includes an encryption key for a sym- 
metrical cryptographic system and the micropro- 
cessors are programmed so that the transaction 
Includes the steps of sending to the first purse the 45 
symmetrical system key of the second purse and 
encrypting data at the second purse using the 
symmetrical system key. 

12. A value transfer system as claimed in any of the so 
preceding claims wherein the computer system 
comprises a plurality of computers and the value 
meter system comprises a plurality of value me- 
ters each associated with a respective one of said 
computers. 55 



Patentanspruche 

1. Geidwertuberweisungssystem, das aufweist: 

- ein Computersystem (1a, 2a, 3a); 

- mehrere elektronische Geldborsen (1c, 2c, 
3c, 6), von denen eine Oder mehrere Mas- 
senborsen (1c, 2c 3c) ist bzw. sind; 

- Vermittlungseinrichtungen (5, 10, 11), 
durch die Borsen in computerunabhSngi- 
gen Transaktionen miteinander zur Uber- 
tragung von Geldwert kommunrzieren kdn- 
nen; 

- ein Geldwertmessersystem (1b, 2b, 3b); 

- Abbuchungseinrichtungen zum AuffOllen 
der Massenborse Oder der Massenbdrsen 
mit Geldwert gesteuert vom Computersy- 
stem Qber das Geldwertmessersystem; 

- Tilgungseinrichtungen zur Zuruckzahlung 
von Geldwert an die Massenborse oder die 
i\^assen borsen gesteuert vom Computersy- 
stem Qber das Geldwertmessersystem, 
welches eines Oder mehrere Flie&geidwert- 
kassenstande aufzeichnet, von denen der 
fur die Massenbdrse Oder die Borsen frei- 
gegebene Nettowert abgeleitet werden 
kann, der die Differenz zwischen der Ge- 
samtsumme der an die Massenborse oder 
Massenbdrsen angewlesenen Geldwerte 
und der Gesamtsumme der von der Mas- 
senborse Oder den Massenbdrsen abge- 
buchten Geldwerte ist, und wobei der Flie&- 
geldwertkassenstand hinsichtlich individu- 
eller Transaktionen unspezif isch ist. 

2. Geldwertuberweisungssystem nach Anspruch 1 , 
be! dem das Geldwertmessersystem eine 
SchnittstBlle hat, durch die jeder Fliedgeldwert- 
kassenstand auf einen Befehl hin so justiert wer- 
den kann, da(i Geldwert in der Massenbdrse oder 
den Bdrsen erzeugbar oder zerstdrbar ist. 

3. Geldwertuberweisungssystem nach irgendei- 
nem der vorangehenden Anspruche, das in jeder 
Geldbdrse Speichermittel enthalt, die einen Kas- 
senstand der Bdrse, der akkumulativ ist, spei- 
chert und in jeder Geldbdrse oder zugehdriger 
Vermittlungselnrichtung einen Mikroprozessor 
aufweist, und Transaktionen werden zwischen 
zwei Geidbdrsen durchgefuhrt, von denen die ei- 
ne, die sendende Geldbdrse, Geldwert sendet 
und die andere, die empfangende Geldbdrse, 
Geldwert empfangt, und die Mikroprozessoren 
sind so programmiert, da& bei jeder Transaktion 
der Bdrsenkassenstand in der sendenden Geld- 
bdrse um einen gewahlten und variablen Trans- 
aktionswert verringert und der Bdrsenkassen- 
stand in der empfangenden Geldbdrse um den- 
selben Transaktionswert erhdht wird. 
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4. Geldwertuberweisungssystem nach Anspruch 3, 
bei dem die Mikroprozessoren so programmiert 
sind, daQ bei einer Transaktion zwischen zwel 
Geldbdrsen der Transaktion ein wenigstens fOr 
eine der Geldbdrsen spezifischer Transaktions- 5 
identifizierer zugeteilt wird, der innerhalb dieser 
Geldbdrse einzlgartig ist. 

5. Geldwertuberweisungssystem nach Anspruch 4, 

bei dem die Mikroprozessoren so programmiert io 
sind, da& der Transaktionsidentif izierer fur die 
empfangende Geldborse speziflsch ist und in- 
nerhalb der empfangenden Geldbdrse durch Ein- 
flud einer Empfangerbdrsentransaktionsfolge- 
nummer einzigartig ist. is 

6. Geldwertuberweisungssystem nach Anspruch 5. 
bei dem die Mikroprozessoren so programmiert 
sind, da& eine Transaktion folgende Schritte ent- 
hSIt: 20 

- Senden einer Anforderungsnachricht, die 
den Transaktionsidentifizierer enthalt von 
der Empfangsborse zur sendenden Borse, 

- Einbeziehen des Transaktionsidentifizie- 

rers in eine von der sendenden Borse zur 25 
empfangenden Borse gesendeten Transak- 
tionswertnachricht, und 

- Kontrollieren der Annahme der Transakti- 
onswertnachricht in der empfangenden 
Geldborse auf der Basis der Gultigkeit des 30 
empfangenden Transaktionsidentif iziers. 

7. Geldwertuberweisungssystem nach einem der 
vorangehenden Anspruche, bei dem die Mikro- 
prozessoren so programmiert sind. da(l sie ein 35 
asymmetrfsches VerschlQsselungssystem an- 
wenden, das verschiedene offentliche und ge- 
heime Schlussel und bei dem jede Geldbdrse we- 
nigstens einen dffentiichen Schlussel des ge- 
speicherten Systems hat 40 

8. Geldwertuberweisungssystem nach Anspruch 7, 
bei dem jede Borse Daten speichert, die im Ver- 
schlQsselungssystem durch das Gomputersy- 
stem mit einem globalen, geheimen Verschtusse- 45 
lungsschlussel gezeichnet sind, wobei die ge- 
zeichneten Daten dadurch elektronisch gesichert 
sind, und die Mikroprozessoren so programmiert 
sind» da& jede Transaktion die Schritte des Ober- 
prufens gesicherter Geldbdrsendaten mittels des so 
globalen dffentlichen SchlGssels einschlieflt 

9. Geldwertuberweisungssystem nach Anspruch 7 
Oder 8, bei dem jede Geldbdrse ihr eigenes und 
einzigartiges dffentliches/geheimes Schlussel- 55 
pear im VerschlQsselungssystem speichert und 

die Mikroprozessoren so programmiert sind, da& 
die Ubertragung von Transaktionsdaten unter 



Verwendung dieser Schlussel verschlusselt und 
entschlusselt wird. 

10. GeldwertQberweisungssystem nach Anspruch 9, 
be! dem in einer Transaktion die beiden Mikropro- 
zessoren ungleiche Rechenleistungen haben, 
wobei der der ersten Borse zugehdrlge Mikropro- 
zessor eine hdhere Rechenleistung als der der 
zweiten Geldbdrse zugehdrige Mikroprozessor 
hat, und die Mikroprozessoren so programmiert 
sind, dad die Transaktion die Schritte enthSIt: 
Senden des geheimen SchlQssels des SchlQssel- 
paars der zweiten Geldbdrse an die erste Geld- 
bdrse und Verschlussein von Daten an der zwei- 
ten Geldbdrse unter Verwendung des dffentli- 
chen SchlQssels des SchlQsselpaars der zweiten 
Geldbdrse. 

11. Geldwertuberweisungssystem nach Anspruch 7 
Oder 8, bei dem In einer Transaktion die beiden 
Mikroprozessoren ungleiche Rechenleistung ha- 
ben, der zur ersten Geldbdrse gehdrende Mikro- 
prozessor eine hdhere Rechenleistung als der 
zur zweiten Geldbdrse gehdrende Mikroprozes- 
sor hat, die zweite Geldbdrse einen Verschlusse- 
lungsschlQssel fur ein symmetrisches VerschlQs- 
selungssystem enthalt und die Mikroprozessoren 
so programmiert sind, daH die Transaktion die 
Schritte enthalt Senden des Schlussel des sym- 
metrischen VerschlQsselungssystems der zwei- 
ten Geldbdrse an die erste Geldbdrse und Ver- 
schlQsselung von Daten an der zweiten Geldbdr- 
se unter Verwendung des SchlQssels des sym- 
metrischen VerschlQsselungssystems. 

12. GeldwertQberweisungssystem nach irgendei- 
nem der vorangehenden Anspruche, bei dem das 
Gomputersystem eine VIelzahl von Gomputern 
und das Geldwertmessersystem eine VIelzahl 
von Getdwertmessern aufweist, die jeweils ei- 
nem der Computer zugeordnet sind. 



Revendlcatlons 

1 . Systems de transfert de valeurs ayant un syst^ 
me d'ordinateur (1a,2a,3a); une plurality de por- 
te-monnaie ^tectroniques (1c,2c,3c,6), un ou plu- 
sleurs des porte-monnaie ^lectronlques 6tant 
des porte-monnaie k forfait; des dispositifs 
d'6change (5,10,11) au moyen desqueis des por- 
te-monnaie peuvent communiquer les uns avec 
ies autres pour transferer des valeurs au cours 
de transactions qui s'effectuent inddpendam- 
ment du syst^me d'ordinateur; un syst^me de 
comptage de valeurs (1b,2b,3b); des moyens de 
credit pour charger des valeurs dans le porte- 
monnaie k forfait ou ies porte-monnaie h forfait 
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sous le contrdle du syst^me d'ordinateur par I'in- 
term6dlair6 du systdme do comptage de valours; 
des moyens de ddbit pour d^biter des vateurs du 
porte-monnaie d forfait ou des porte-monnate d 
forfait sous te contrdle du systdme d'ordinateur $ 
par rintermSdiaire du systdme de comptage de 
valeurs; le syst^me de comptage de valeurs en- 
registrant un ou plusieurs enregistrementsde va- 
lour f lottante, ce qui permet de determiner la va- 
leur nette fournie au porte-monnaie d forfait ou io 
aux porte-monnaie S forfait, la valeur nette dtant 
ta difference entre le total des valeurs cr^ditees 
au porte-monnaie d forfait ou aux porte-monnaie 
d forfait et le total des valeurs d^bitees du porte- 
monnaie d forfait ou des porte-monnaie d forfait, is 
renregistroment do valour flottanto n'6tant pas 
sp6ctf iquo aux transactions individuelles. 

Systeme do transfort do valeurs selon la reven- 
dication 1, dans lequel le systdme de comptage 20 
de valeurs a une interface au moyen de laquelle 
chaquo enregistrement de valeur flottanto pout 
§tre ajuste sur ordre de fagon d cr^er ou d detrui- 
re une valeur contenue dans le porte-monnaie ^ 
forfait ou les porte-monnaie d forfait. 25 

Systeme de transfert de valeurs selon i'une quel- 
conquo des revendicattons precedentos compre- 
nant, dans chaque porte-monnaie, un moyen de 
stockage qui stocke un enregistrement de valeur 30 
de porte-monnaie qui est cumulatif et, dans cha- 
que porte-monnaie ou dispositif d'^change asso- 
ci6, un microprocesseur, des transactions 6tant 
effectu6es entre des paires do porte-monnaie 
dont Tun, le porte-monnaie emetteur, envoie une 35 
valour et dont I'autre. le porte-monnaie recepteur, 
revolt la valeur, les microprocesseurs 6tant pro- 
grammes pour qu'au cours de chaque transao 
tlon, renregistroment de valour de porte-mon- 
naie stocke dans le porte-monnaie emetteur, soit 40 
reduit d'une valeur de transaction choisie et va- 
riable et pour quo renregistroment de valour do 
porte-monnaie stocke dans le porte-monnaie r6- 
cepteur, soit augmente de la mdme valeur de 
transaction. 45 

Systeme de transfert de valeurs selon la reven- 
dlcatk>n 3, dans lequel les microprocesseurs sont 
programmes pour qu'au cours d'une transaction 
entre les membres d'une paire do porte-monnaie, 50 
un Idontif Icateur de transaction specif ique d au 
moins Tun des porte-monnaie et unique dans ce 
porte-monnaie soit attribue d la transaction. 

Systeme de transfert de valeurs selon la reven- 55 
dication 4, dans lequel les microprocesseurs sont 
programmes pour quo ridontif icateur do transao 
tion soit specif ique au porte-monnaie recoptour 



et soit unique dans le porte-monnaie recepteur 
par inclusion d'un numero de sequence de tran- 
saction do porte-monnaie recepteur. 

6. Systeme de transfort de valours selon la rovon- 
dication 5, dans lequel les microprocesseurs sont 
programmes pour qu'une transaction comports 
les etapos consistant e envoyor du porte-mon- 
naie recepteur au porte-monnaie emetteur un 
message de requdte incluant ridontlficateur de 
transaction, e incorporer ridontif Icateur de tran- 
saction dans un message de valeur de transac- 
tbn envoye par le porte-monnaie emetteur au 
porte-monnalo recepteur et d commander t'ac- 
ceptation du message de valeur de transaction 
dans le porte-monnaie recepteur en fonction de 
la validlte de I'identif icateur de transaction re^u. 

7. Systeme de transfert de valeurs selon I'une quel- 
conque des revendicatlons precedontes, dans le- 
quel tes microprocesseurs sont programmes 
pour utiliser un systems cryptographique asyme- 
trique ayant differentes cies publlques et secre- 
tes et dans lequel chaque porte-monnaie memo- 
rise au moins une cie publique du systems. 

8. Systems de transfert de valeurs selon la reven- 
dlcatlon 7, dans lequel chaque porte-monnaie 
stocke des donnees signees dans le systeme 
cryptographique par le systems d*ordinateur 
avec une cie d'encryptago secrete globale, la 
donn6e signee 6tant ainsi certif lee eiectronique- 
ment, et dans lequel les microprocesseurs sont 
programmes pour que chaquo transaction 
comporte les etapes consistant k verifier des 
donnees de porte-monnaie certif lees au moyen 
do la cie publique globalo. 

9. Systeme de transfert de valeurs selon la reven- 
dlcation 7 ou la revendication 8, dans lequel cha- 
que porte-monnaie stocke sa propre paire unique 
do des publique/secrete dans le systems crypto- 
graphique et dans lequel les microprocesseurs 
sont programmes pour que la transmission des 
donnees do transaction soit encryptee et decryp- 
tee par utilisation do cos cies. 

10. Systems de transfert de valeurs selon la reven- 
dication 9, dans lequel, au cours d'une transac- 
tion, les deux microprocesseurs ont des puissan- 
ces de calcul inegales, le microprocosseur asso- 
cie ^1 un premier porte-monnaie ayant une puis- 
sance de calcul superieurs e colui qui est associe 
au second porte-monnaie, et dans lequel les mi- 
croprocesseurs sont programmes pour que la 
transaction comporte les etapos consistant e en- 
voyer au premier porte-monnaie la cie secrete de 
la paire do cies du second porte-monnaie et k en- 
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crypter des donn^es dans le second porte-mon- 
naie en utilisant la cl6 publique de la paire de cl^s 
du second porte-monnaie. 

11. Systdme de transfert de valeurs selon la reven- s 
dication 7 ou ia revendication 8, dans lequel, au 
cours d'une transaction, les deux microproces- 
seurs ont des puissances de calcul indgales, le 
microprocesseur associd d un premier porte- 
nnonnaie ayant une puissance de calcul sup^rieu- io 
re k celui qui est associ^ au second porte-mon- 
naie, dans lequel le second porte-monnaie 
comporte une cl6 d'encryptage pour un syst^me 
cryptographique sym6trique et dans lequet les 
mbroprocesseurs sont programme pour que la is 
transaction comporte les stapes consistant k en- 
voyer au premier porte-monnaie la cl6 du syst6- 

me sym^trique du second porte-monnaie et k en- 
crypter des donndes dans le second porte-mon- 
naie en utilisant la du systdme sym^trique. 20 

12. Systdme de transfert de valeurs selon Tune quel- 
conque des revendications pr6c6dentes, dans le- 
quel le syst^me d'ordinateur comprend une plu- 
rality d'ordlnateurs, et le systems de comptage 25 
de valeurs comprend une plurality de compteurs 

de valeurs chacun associ^ d Tun respectif de ces 
ordinateurs. 
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